How I managed to get shell access to groklearning.com

groklearning.com provides a platform for online education where one
can learn how to program in Python.

It is one of those projects that make the world better by providing
free online education to people. If you are new to programming and
want to learn some Python, I’d suggest you visit the groklearning.com
site and take some (why not all?) of the courses they have!

I’ve been using groklearning.com myself and have been telling friends
about it who wish to learn Python, but don’t know where to start from.

Using groklearning.com you can write your Python script, which is then
executed and the result is displayed back to you. This is very cool,
because you don’t have to bring Python with you all the time and can
simply use it from your browser, but this also comes with a risk…

What if someone manages to make the system serve a different
purpose? What if someone manages to turn this into a weapon?

In this post we are going to explore the security of groklearning.com
by trying to get shell access to the systems.

DISCLAIMER: The information provided here is for educational purposes
only! Any unauthorized attempts to use this information for malicious
acts may be disclosed to law enforcement authorities and result in
criminal prosecution!

From the output of the above script I was able to identify a number of
things about the system, such as the OS, the virtualization technology
being used, etc.

Having a look around

It was time to have a look around and see what we’ve got on this
system. I started checking what’s in /bin, /usr/bin, and other
directories in order to identify anything that could be used as a
weapon.

The system running my Python script was stripped down a bit, so you
won’t find all the UNIX/Linux tools you usually find on a default
installation of a GNU/Linux system for example.

I wasn’t really hoping for much to happen, but then I got a result
back, which was:

GNU bash, version 4.2.37(1)-release(i686-pc-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Okay, now I knew I could start a shell on the remote system, but I
couldn’t do much with it… at least for now…

Is outbound traffic allowed?

Time to check if outbound traffic is allowed. If outbound traffic was
allowed I could write up a Python script which would spawn a reverse
shell for me and grant me access. Only if outbound traffic is
allowed…

So, I used this script to verify that outbound HTTP traffic is
allowed.

This time I managed to get my reverse shell and get access to the
system running the groklearning.com Python code.

At this point I stopped and decided it was time to let the Security
Team at groklearning.com know about the security issue.

Fixing the issue

Soon after I managed to get shell access to the system I mailed the
Security Team at groklearning.com about this issue.

After I sent the mail, one of the guys from the Security Team at
groklearning.com contacted me soon enough and we had a conversation
about the issue in order to further identify the root cause. A bit
later the security issue was fixed and creating a reverse shell was no
longer possible.
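
An operator of a code-execution sandbox can turn the two observations in this post (a usable bash binary and permitted outbound traffic) into a regression check that runs inside the execution environment. This is an added example, not code from the original post or from groklearning.com; the shell names, search directories and canary address (a documentation-range placeholder) are assumptions.

```python
import os
import socket

# Assumed lists: shells and directories worth checking in a code-execution sandbox.
SHELL_NAMES = ("sh", "bash", "dash", "zsh", "ksh")
SEARCH_DIRS = ("/bin", "/usr/bin", "/usr/local/bin")
# Placeholder canary (TEST-NET-1); replace with a listener you operate.
CANARY = ("192.0.2.1", 80)


def find_shells(dirs=SEARCH_DIRS, names=SHELL_NAMES):
    """Return shell binaries (any execute bit set) visible from inside the sandbox."""
    found, seen = [], set()
    for directory in dirs:
        for name in names:
            path = os.path.join(directory, name)
            real = os.path.realpath(path)  # collapse /bin -> /usr/bin style symlinks
            if real in seen or not os.path.isfile(path):
                continue
            if os.stat(path).st_mode & 0o111:
                seen.add(real)
                found.append(path)
    return found


def egress_open(host, port, timeout=3.0):
    """True if an outbound TCP connection from the sandbox succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(canary=CANARY, dirs=SEARCH_DIRS, probe=egress_open):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    shells = find_shells(dirs)
    if shells:
        findings.append("shell binaries present: " + ", ".join(shells))
    if probe(*canary):
        findings.append("outbound TCP to %s:%d allowed" % canary)
    return findings


if __name__ == "__main__":
    for finding in audit():
        print("FAIL:", finding)
```

Either finding alone limits what submitted code can do; the sandbox described in this post had both, so the check should fail the build until both lists come back empty.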

Now, we can all be a bit happier that groklearning.com is a bit safer
than before with that security issue patched, and continues to serve
its mission to educate people! :)